By Manuel Rodriguez, Fraud Solutions Manager at SAS
The range of potential payment services has expanded rapidly over the last few years. Increasingly, we all want the flexibility of being able to pay with new payment methods, from contactless through to Apple Pay, mobile wallets and beyond. Digital natives, such as millennials, don’t just want this – they expect it. For banks, however, this demand for flexibility is a headache.
Banks and other financial institutions know that they have to adopt new payment methods to meet customer demand for convenience and flexibility. However, they also know that these new payment systems leave them open to new forms of fraud. The big question is how can they adapt to these new fraud types – to protect both themselves and customers – without creating poor customer experiences through large numbers of false positives?
Understanding payment fraud
There is no question that payment fraud has changed over the last few years. A few years ago, card fraud, from cloning cards, was a leading form of fraud. However, the use of card processing terminals that use Europay-Visa-Mastercard (EMV) technology has reduced this considerably. This technology – the gold standard for credit cards, using computer chips to authenticate and secure transactions – has been the norm in Europe for a while. Its use is now spreading to the US.
Card fraud has therefore migrated to “card not present” transactions, such as online purchases. Payment fraud is driven and supported by several risks, including data breaches at retailers, credit agencies and banks, and use of malware to obtain access to accounts. It is also, however, helped by moves towards faster payments, driven by both regulators and the industry. These are good for customers, but they also good for fraudsters. The faster it is to get funds or goods through fraudulent transactions, the less time banks have to detect the fraud.
Fraudsters always ahead
Fraudsters are faster and more adept than ever before. The issue for banks and other financial institutions is to recognise that fraudsters will always be ahead but to take action to address that. Fraud detection systems need to keep up, and there is little time for long-drawn-out checks. However, there is a catch. Fraud-prevention systems need to avoid too many false positives. Up to 10% of rejected orders are actually believed to be valid. In total, in one survey, 37% of merchants said that turning away good customers was a top concern.
New regulations are adding challenges. Instant Payments or Payments Services Directive 2 (PSD2) are enforcing new rules, needs and requirements. We need to fit into payment processes thresholds and other aspects to make payments faster, more available and smoother. On the other side, we need to apply proper security, customer authentication and risk-based approaches to monitor payments in a more complex environment involving banks and third-party providers.
Systems to catch fraud
There are many actions that banks can take to protect themselves and their customers from fraud. First, they must look at their systems, ensure they are connected and remove any silos. Disconnected systems are vulnerable to compromise.
Banks also have to move from rules-based to machine learning analytics systems for fraud detection. This approach gives them the chance to identify suspicious patterns and anomalies much faster, which is essential as more and more real-time payments systems come online. Real-time scoring and decision making should drive new systems, which should also take into account new forms of data, such as device fingerprints and information phone call routing.
Machine learning techniques include neural networks, regression techniques, decision trees, naïve Bayesian methods, clustering and network analysis. These approaches are particularly useful to detect rare payments fraud events hidden in big data sets. Machine learning tools can understand and learn from this type of data, and they can adapt to the changing behaviours associated with fraud through automated behavioural profiling and signatures.
They can automate models to find hidden insights without having to be programmed directly. This means that banks have some chance of keeping up with fraudsters. Machine learning techniques can also reduce the false positive rate by learning the behaviour of individual customers over time so that normal behaviour for an individual does not raise alerts.
With multiple analytics techniques available, banks can better detect fraud behaviours. But they can also monitor legitimate behaviour to provide enriched answers to business needs, different requirements and new regulations.
End-to-end and across channels
Ultimately, payment fraud detection systems have to be able to look at payment processes from end to end and also across channels. Gartner identifies five layers: entity link, cross-channel-centric, channel-centric, navigation-centric and end-point-centric. By looking across all five of these layers and drawing data from all points, machine learning systems can draw a complete picture of the transaction in the context of the customer.
This combination of rules-based and analytical techniques can monitor user behaviour with considerable accuracy and speed. It can, therefore, identify normal and unusual patterns very fast, even in real time. This makes it much harder for fraudsters to find gaps and loopholes, and easier to identify potential fraud accurately. It is essential for banks to move in this direction to protect themselves and their customers from payment fraud.